AIS Chapter 10 Reading Questions


IIA

(Institute of Internal Auditors) organization for internal auditors

Correct statements about COBIT

- COBIT is a generally accepted framework for IT governance and management
- COBIT 5 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders
- COBIT 5 integrates other frameworks and standards such as ITIL (Information Technology Infrastructure Library) and the ISO (International Organization for Standardization) 27000 series

What are some examples of detective controls

- Prepare monthly bank reconciliations
- Prepare monthly trial balances
- Count inventory periodically

Given your understanding of COSO ERM framework, select factors regarding internal environment

- a firm's integrity and ethical values
- a firm's human resource policies/practices and development of personnel
- a firm's risk management philosophy and risk appetite
- a firm's organizational structure, board of directors and the audit committee

What are some examples of preventive controls

- require authorization before recording transactions
- proper segregation of duties in daily operations

What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?

- under SOX, the PCAOB replaces the AICPA to issue audit standards
- SOX established the PCAOB to regulate and audit public accounting firms

What are some examples of corrective controls

-using a backup file to recover corrupted data

To support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests five components of internal control

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring activities

What is Enterprise Risk Management (ERM)

1. ERM identifies potential events that may affect the firm
2. ERM manages risk to be within the firm's risk appetite
3. ERM provides reasonable assurance regarding the achievement of the firm's objectives

It involves a company's board of directors, management, and other personnel in the process. It is applied in strategy setting and across the enterprise, and it aims to provide reasonable assurance regarding the achievement of objectives.

COSO ERM framework indicates that

1. ERM identifies potential events that may affect the firm
2. ERM manages risk to be within the firm's risk appetite
3. ERM provides reasonable assurance regarding the achievement of the firm's objectives

COSO ERM

A framework that expands from internal control to risk management and can be applied to all firms

T/F: The Control Objectives for Information and Related Technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by the PCAOB to be used for SOX section 404 audits

False; the COBIT framework is an internationally accepted set of best IT security and control practices for IT management released by the IT Governance Institute (ITGI)

T/F: The most recent control framework designed by COSO is called control objectives for information and related technology

False; COSO created the "Internal Control - Integrated Framework" in 1992 and the "Enterprise Risk Management - Integrated Framework"

COBIT defines the overall IT control framework, and ______ provides the details for IT service management which is released by the UK Office of Government Commerce and is the most widely accepted model for IT service management

ITIL

COBIT

a comprehensive framework for IT governance and management

ITIL

a framework focusing on IT infrastructure and IT service management

ISO 27000 series

a framework for information security management

COCO

a general internal control framework that can be applied to all firms

Application controls are specific to

a subsystem or an application to ensure the validity, completeness, and accuracy of the transactions. Ex: when entering a sales transaction, use an input control to ensure the customer account number is entered accurately

Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite. The four options to respond to risk are: reducing, sharing, avoiding, and ______ risks.

accepting

IT controls are a subset of a firm's internal controls and are categorized as IT general and ______ controls

application

Identify physical activities based on COSO internal control framework

- authorization: to ensure transactions are valid
- segregation of duties: to prevent fraud and mistakes
- supervision: to compensate for imperfect segregation of duties
- accounting documents and records: to maintain audit trails
- access control: to ensure only authorized personnel have access to physical assets and information
- independent verification: to double check for errors and misrepresentations

Corrective controls fix problems that have been identified, such as using ______ files to recover corrupted data

backup

validity checks

compare data entering the system with existing data in a reference file to ensure only valid data are entered

What is a concurrent update control

concurrent update controls prevent two or more users from updating the same record simultaneously.

Per COBIT 5, IT management includes planning, building, running and _________ activities in alignment with the direction necessary to achieve the firm's objectives

monitoring

Select a correct statement on the monitoring component of the COSO ERM framework

monitoring is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model. The ERM components and internal control process should be monitored continuously and modified as necessary

Continual service improvement

ongoing improvement of the service and the measurement of process performance required for the service.

AICPA

organization for public accountants

requiring a signed source document before recording a transaction is a _______ control

preventive

During the objective setting stage, management should have a _____ in place to set strategic, operations, reporting, and compliance objectives

process

COBIT

provides the best IT security and control practices for IT management

ITIL

provides the concepts and practices for IT service management

Internal and external events affecting achievement of a firm's objectives must be identified. When using COSO ERM framework, management must distinguish between ______ and ______ after identifying all possible events

risk and opportunity

Financial Total

sum of a field containing dollar values

completeness checks

ensure all required data are entered for each record

field checks

ensure that the characters in a field are of the proper type

General Controls pertain to

enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes to programs, and so on. Ex:
- require user names and passwords to access the company's network
- require a policy on developing and maintaining applications

The COSO ERM framework component ______________ _______________ firms identify events affecting achievement of their objectives

event identification

We define corporate ______ as a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.

governance

The processes of making sure changes to programs and applications are authorized and documented are called change ____ controls. Changes should be tested prior to implementation so they do not affect system availability and reliability

management

Select the correct statement(s) regarding the concepts on internal control defined under COSO 2.0

1. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
2. Internal control is affected by people. It is not merely about policy manuals, systems, and forms. Rather, it is about people at every level of a firm who affect internal control.
3. Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board.
4. Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.
5. Internal control is adaptable to the entity structure.

Provide the process of risk assessment in the correct sequence. The last step is, based on the results of the cost/benefit analysis, to determine whether to reduce the risk by implementing a control or to accept, share, or avoid the risk.

1. identify risks to the firm
2. estimate the likelihood of each risk occurring
3. estimate the impact
4. identify controls to mitigate the risk
5. estimate the costs and benefits of implementing the controls
6. perform a cost/benefit analysis for each risk and corresponding controls

The COSO 2.0 (COSO 2013) framework indicates that an effective internal control system should consist of three categories of objectives: operations objective, ______ objectives, and ____________ objectives.

1. operations objectives: effectiveness and efficiency of a firm's operations, including financial performance goals and safeguarding assets
2. reporting objectives: reliability of reporting, including internal and external financial and non-financial reporting
3. compliance objectives: adherence to applicable laws and regulations.

______ controls find problems when they arise

Detective

Size Check

Ensure the data fit into the size of a field

T/F: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management

False

T/F: Each company should use only one of the control/governance frameworks in corporate and IT governance.

False

COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Three of the seven key criteria of business requirements for information in COBIT are about security and people often call them CIA: confidentiality, _________, and ___________

Integrity and Availability

ISACA

Organization for information system auditors

IMA

Organization for management accountants

The COSO ERM framework categorized objectives in the following four categories:

Strategic, Operations, Reporting, Compliance

Inherent Risk

The risk related to the nature of the business activity itself

T/F: Integrity and individual ethics are formed through a person's life experience

True

What are the main purposes of corporate governance

corporate governance can be defined as a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. It also promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
1. to encourage the efficient use of the resources a firm has and protect the interests of a firm's stakeholders
2. to protect the interests of a firm's stakeholders
3. to promote accountability and transparency in a firm's operations

Record Count

indicates that the same total number of records is in the batch

The AICPA has indicated that issues on information security are critical to certified public accountants, as one of the top 10 technologies that accounting professionals must learn. The International Organization for Standardization (ISO) 27000 series is designed to address ______________ issues

information security

IT application controls are activities specific to a subsystem's or application's ______, processing, and output

input

What are the purposes of the standards of the ISO 27000 series?

it is designed to address information security issues

Service design

the design and development of IT services and service management processes

Service operation

the effective and efficient delivery and support of services, with a benchmarked approach for event, problem, and access management

Residual Risk

the product of inherent risk and control risk

Service strategy

the strategic planning of IT service management capabilities and the alignment of IT service and business strategies

Hash Total

the sum of a numeric field, such as employee number, which normally would not be the subject of arithmetic operations.

Control Risk

the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system

Service transition

the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service

